From owner-freebsd-stable@FreeBSD.ORG  Wed Sep  6 06:32:09 2006
Return-Path: <owner-freebsd-stable@FreeBSD.ORG>
X-Original-To: freebsd-stable@freebsd.org
Delivered-To: freebsd-stable@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 242F116A4E2;
	Wed,  6 Sep 2006 06:32:09 +0000 (UTC) (envelope-from ast@marabu.ch)
Received: from oneplusone.ch (oneplusone.ch [212.55.208.170])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 2141E43D6E;
	Wed,  6 Sep 2006 06:32:03 +0000 (GMT) (envelope-from ast@marabu.ch)
Received: from oneplusone.ch (localhost [127.0.0.1])
	by oneplusone.ch (8.13.6/8.13.6) with ESMTP id k866W1PD056275
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO);
	Wed, 6 Sep 2006 08:32:02 +0200 (CEST) (envelope-from ast@marabu.ch)
Received: (from uucp@localhost)
	by oneplusone.ch (8.13.6/8.13.6/Submit) with UUCP id k866W176056274;
	Wed, 6 Sep 2006 08:32:01 +0200 (CEST) (envelope-from ast@marabu.ch)
Received: from pano.marabu.ch (localhost [127.0.0.1])
	by pano.marabu.ch (8.13.6/8.13.6) with ESMTP id k866TDg5045087;
	Wed, 6 Sep 2006 08:29:13 +0200 (CEST)
	(envelope-from ast@pano.marabu.ch)
Received: (from ast@localhost)
	by pano.marabu.ch (8.13.6/8.13.6/Submit) id k866TDvL045086;
	Wed, 6 Sep 2006 08:29:13 +0200 (CEST) (envelope-from ast)
Date: Wed, 6 Sep 2006 08:29:13 +0200
From: Adrian Steinmann <ast@webgroup.ch>
To: freebsd-stable@freebsd.org
Message-ID: <20060906062912.GA44900@webgroup.ch>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-2.0.2
	(oneplusone.ch [127.0.0.1]); Wed, 06 Sep 2006 08:32:02 +0200 (CEST)
X-Mailfilter: egfilter version 1.14;
	Archiver [msg.gLtkp1LL] (oneplusone.ch [127.0.0.1]);
	Wed, 06 Sep 2006 08:32:02 +0200 (CEST)
X-AntiVirus: checked by AntiVir Milter (version: 1.1.2-1; AVE: 7.1.1.11;
	VDF: 6.35.1.188; host: oneplusone.ch)
Cc: mr@freebsd.org, pjd@freebsd.org
Subject: FAST_IPSEC + device padlock + device crypto + IKE broken?
X-BeenThere: freebsd-stable@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Production branch of FreeBSD source code <freebsd-stable.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-stable>, 
	<mailto:freebsd-stable-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-stable>
List-Post: <mailto:freebsd-stable@freebsd.org>
List-Help: <mailto:freebsd-stable-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-stable>,
	<mailto:freebsd-stable-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Sep 2006 06:32:09 -0000

In my kernel config, I have

    options FAST_IPSEC
    device padlock
    device crypto

which enables the crypto acceleration in VIA C3 and C7 CPUs.  IPSEC
with static rijndael-cbc keys of length 128, 192, and 256 makes use
of the acceleration when sysctl net.inet.ipsec.crypto_support=1;
- so far, so good.

Yet when I configure racoon from ipsec-tools, racoon2, or iked for
dynamic keying, I get a "PFKEYv2 UPDATE" (or similar) failure. When
I set net.inet.ipsec.crypto_support=0 these same dynamic ike key
configurations work, albeit without HW crypto accelleration.

Has anyone else observed this and know what the problem is?

Adrian